azure-pipelines-tasks: InstallAppleCertificate@2 Doesn't accept variables for parameter certSecureFile

Required Information

Feature / Bug

InstallAppleCertificate@2

Environment

  • Server - Azure Pipelines

  • Agent - Private:

    • macOS-10.15

Issue Description

The InstallAppleCertificate@2 task doesn’t support the ability to pass in a variable for the secure file. Is this on purpose or is this something that could be added? Our Xcode project builds multiple applications from one source and each app has its own signing certificate. I was hoping to utilize this task with matrices to install the relevant certificate per run.

Ideally it would be helpful to be able to do something like this.

- task: InstallAppleCertificate@2
  displayName: '🔐 Install Signing Certificate'
  inputs:
    certSecureFile: $(certificate)
    certPwd: $(certificate_password)

Error logs

There was a resource authorization issue: "The pipeline is not valid. Job Job: Step InstallAppleCertificate input certSecureFile references secure file $(certificate) which could not be found. The secure file does not exist or has not been authorized for use. For authorization details, refer to https://aka.ms/yamlauthz."

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 23 (8 by maintainers)

Most upvoted comments

Closing the issue since the workaround has been found.

I am experiencing the same issue! The same is also happening to me for the InstallAppleProvisioningProfile@1 task

Correct, you can’t use a variable explicitly for a certificate, but by creating a template that takes in parameters, and then just creating N jobs each passing in your required parameters to the template, you are essentially doing the same thing as a matrix, but now on each template call you can define the certificate you wish to use.

To be honest, we publish many apps from one code source, and this covers that solution perfectly. I’m not really sure what benefit being able to use a variable would be. I can’t think of a use case. Even if you could, it’s either a single update to a yml or a single update to the Azure GUI.

This has worked perfectly for us now. I think I was simply just too focused on using a matrix that I forgot about the other tools in the shed.

Using a template parameter sounds like it could work. I’ll try it out and post the results here. Thanks!

Thought: It would still feel “broken” though, since using variables works only at the root level, and not lower. But this is the intended usage of variables. The parameters sound like a viable workaround.

@Guuz I see that you’re using variable groups but as per the article mentioned above Variable groups are themselves a resource subject to authorization, so their data is likewise not available when checking resource authorization. I guess the only way here might be to pass secure files as template parameters somehow. Here you can find more information about template parameters.

I think the YAML might help, since I’m using templates already, but this seems to cause the issue. The below YAML files are obviously shortened by A LOT, just to show you the most important parts:

# Part of the main pipeline that runs. contains other stages for testing for instance.
# And will later deploy to ACC, and with a manual approval build and deploy to PROD.
stages:
  - stage: build_acc
    jobs:
      - job: build_ios_acc
        variables:
          - group: ios_acc_variables
        steps:
          - template: pipeline-helpers/acc/build-ios.yml
      - job: build_android_acc
        variables:
          - group: android_acc_variables
        steps:
          - template: pipeline-helpers/acc/build-android.yml

# Part of the build-ios.yml file.
steps:
  - task: CocoaPods@0
    inputs:
      projectDirectory: 'ios'
  - task: InstallAppleCertificate@2
    inputs:
      # This is what breaks
      certSecureFile: '$(p12FileName)'
      certPwd: '$(p12Password)'
      keychain: 'temp'
      deleteCert: true

The “Authorize resources” button seems to work. But does not fix the issue. The resources have also already been given access to all pipelines anyway.

Moving the variables to the root level will cause this to work. Proving the bug. But they can’t be at the root level because we need to differentiate between ACC and PROD. Let alone that the iOS and Android steps (templates) might use the same variable so even they need to be different. The root scope is not an option, and shouldn’t be in scenarios like this.

Thanks for helping and looking into this!

@LaurentGoderre @Zanchee Thank you for the information you’ve provided! We’ll investigate this issue and keep you posted on the results.

From what I can tell, there is some validation that happens on the pipeline definition before the variable substitution so the build doesn’t even start. I am not able to find any of that logic in this repo though.
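
The template-parameter workaround discussed in this thread, written out as an added example (not code from the issue or from the azure-pipelines-tasks repository). The secure file name is passed as a compile-time template parameter, so it is a literal by the time resource authorization is checked, while the password stays a runtime secret variable. File paths, secure file names, variable group names and variable names below are hypothetical.

```yaml
# file: templates/install-signing-cert.yml   (hypothetical path)
parameters:
  - name: certSecureFile   # literal secure file name; expanded at compile time
    type: string
  - name: certPwd          # pass the secret as a macro string, e.g. '$(app_a_p12_password)'
    type: string

steps:
  - task: InstallAppleCertificate@2
    displayName: 'Install signing certificate (${{ parameters.certSecureFile }})'
    inputs:
      # ${{ }} is resolved while the pipeline is compiled, so the authorization
      # check sees the real secure file name instead of an unexpanded $(variable).
      certSecureFile: ${{ parameters.certSecureFile }}
      # The parameter value is the text '$(...)'; the macro is expanded at runtime
      # from the job's variables, so the password never appears in the YAML.
      certPwd: ${{ parameters.certPwd }}
      keychain: 'temp'
      deleteCert: true

# file: azure-pipelines.yml   (one job per app instead of a matrix)
jobs:
  - job: build_app_a
    variables:
      - group: app_a_signing            # hypothetical group holding app_a_p12_password
    steps:
      - template: templates/install-signing-cert.yml
        parameters:
          certSecureFile: 'app_a_distribution.p12'   # hypothetical secure file name
          certPwd: '$(app_a_p12_password)'

  - job: build_app_b
    variables:
      - group: app_b_signing            # hypothetical group holding app_b_p12_password
    steps:
      - template: templates/install-signing-cert.yml
        parameters:
          certSecureFile: 'app_b_distribution.p12'   # hypothetical secure file name
          certPwd: '$(app_b_p12_password)'
```

Each secure file and variable group named here still has to be authorized for the pipeline; the template only makes the names visible to that check.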